[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Security readout for executives and security teams
Plain-English summary
CVE-2026-23559 is an XAPI RBAC flaw where a VM administrator can reach beyond their intended role and access dom0 host files through virtual disk configuration. This can expose or alter sensitive host files, turning a delegated VM-management role into a serious host integrity risk.
Executive priority
Treat as urgent for virtualized infrastructure with delegated administration. Prioritize environments where non-root teams, tenants, or automation hold vm-admin privileges, because the flaw can expose or alter host-side dom0 files.
Technical view
In Xen XAPI, vm-admin can set VBD.other_config:backend-local and make arbitrary dom0 files appear as VDIs for a VM they control. The source describes arbitrary read and/or modification of dom0 files. CVSS v4.0 is 9.4 critical, with local attack vector.
Likely exposure
Exposure is most likely in Xen/XAPI environments that delegate vm-admin privileges to users, automation, or service accounts. The source bundle lists Xen XAPI as affected across all versions, but does not provide detailed fixed-version boundaries.
Exploitation context
The bundle does not show KEV listing or active exploitation evidence. The described abuse requires a vm-admin-capable actor and affects dom0 file confidentiality and integrity, which can materially weaken host and pool security.
Researcher notes
The CNA record groups several XAPI RBAC issues; this analysis addresses only CVE-2026-23559. The source does not include exploit code, observed exploitation, or fixed versions. Validate against XSA-489 before asserting patch state.
Mitigation direction
Review Xen XSA-489 and apply any vendor-provided fixes or updates.
Restrict vm-admin assignments to trusted administrators only.
Remove unused or overly broad XAPI RBAC accounts.
Audit automation tokens with vm-admin privileges.
Monitor for suspicious VBD.other_config changes.
Validation and detection
Inventory Xen/XAPI hosts and pools using RBAC.
List users and service accounts with vm-admin role.
Review VBD.other_config for backend-local entries.
Check VM disks for unexpected dom0-backed mappings.
Confirm remediation status against Xen XSA-489 guidance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-250: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-250 · source CWE mapping
Execution with Unnecessary Privileges
Execution with Unnecessary Privileges represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.